Splunk Security Content
Versions
v4.30.0
3 weeks ago
Release notes
New Analytics Story
Okta Account Takeover
Windows AppLocker
Zscaler Browser Proxy Threats
Updated Analytics Story
Azure Active Directory Account Takeover
Compromised User Account
GCP Account Takeover
New Analytics
Okta Authentication Failed During MFA Challenge
Okta IDP Lifecycle Modifications
Okta Multi-Factor Authentication Disabled
Okta Multiple Accounts Locked Out
Okta Multiple Failed MFA Requests For User
Okta Multiple Users Failing To Authenticate From Ip
Okta Successful Single Factor Authentication
Okta Unauthorized Access to Application
O365 Compliance Content Search Exported
O365 Compliance Content Search Started
O365 Elevated Mailbox Permission Assigned
O365 Mailbox Email Forwarding Enabled
O365 Mailbox Folder Read Permission Assigned
O365 Mailbox Folder Read Permission Granted
O365 New Email Forwarding Rule Created
O365 New Email Forwarding Rule Enabled
O365 New Forwarding Mailflow Rule Created
O365 Security And Compliance Alert Triggered
Okta User Logins From Multiple Cities
Windows AppLocker Block Events
Windows AppLocker Execution from Uncommon Locations
Windows AppLocker Privilege Escalation via Unauthorized Bypass
Windows AppLocker Rare Application Launch Detection
Windows Unsigned MS DLL Side-Loading
Zscaler Adware Activities Threat Blocked
Zscaler Behavior Analysis Threat Blocked
Zscaler CryptoMiner Downloaded Threat Blocked
Zscaler Employment Search Web Activity
Zscaler Exploit Threat Blocked
Zscaler Legal Liability Threat Blocked
Zscaler Malware Activity Threat Blocked
Zscaler Phishing Activity Threat Blocked
Zscaler Potentially Abused File Download
Zscaler Privacy Risk Destinations Threat Blocked
Zscaler Scam Destinations Threat Blocked
Zscaler Virus Download threat blocked
Updated Analytics
Email Attachments With Lots Of Spaces
Okta MFA Exhaustion Hunt
Okta Mismatch Between Source and Response for Verify Push Request
Okta Multiple Failed Requests to Access Applications
Okta New API Token Created
Okta New Device Enrolled on Account
Okta Phishing Detection with FastPass Origin Check
Okta Risk Threshold Exceeded
Okta Suspicious Activity Reported
Okta Suspicious Use of a Session Cookie
Okta ThreatInsight Threat Detected
Suspicious Email Attachment Extensions
O365 Admin Consent Bypassed by Service Principal
O365 ApplicationImpersonation Role Assigned
O365 Mailbox Inbox Folder Shared with All Users
O365 PST export alert
Prohibited Software On Endpoint
Detect Use of cmd exe to Launch Script Interpreters
Detection of tools built by NirSoft
Excessive File Deletion In WinDefender Folder (External Contributor: @nterl0k)
Linux Account Manipulation Of SSH Config and Keys
Linux Deletion of SSL Certificate
Malicious Powershell Executed As A Service
Registry Keys Used For Persistence
SchCache Change By App Connect And Create ADSI Object
Suspicious Regsvr32 Register Suspicious Path
Windows Data Destruction Recursive Exec Files Deletion (External Contributor: @nterl0k)
Windows High File Deletion Frequency (External Contributor: @nterl0k)
Windows MSHTA Writing to World Writable Path
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
SMB Traffic Spike
SMB Traffic Spike - MLTK
Web Remote ShellServlet Access
Macros Added
applocker
zscaler_proxy
Macros Updated
okta
Lookups Added
applockereventcodes
Other Updates
Added a new dashboard, ESCU - AppLocker. Navigate to your Dashboards and search for "ESCU - AppLocker" to assist with auditing and monitoring Windows AppLocker events on your endpoints (Splunk Enterprise 9.x.x and above only).
v4.29.0
1 month ago
Release notes
New Analytics Story
APT29 Diplomatic Deceptions with WINELOADER
Outlook RCE CVE-2024-21378
Updated Analytics Story
New Analytics
Windows InProcServer32 New Outlook Form
Windows MSHTA Writing to World Writable Path
Windows New InProcServer32 Added
Windows Phishing Outlook Drop Dll In FORM Dir
Windows SqlWriter SQLDumper DLL Sideload
Updated Analytics
CertUtil With Decode Argument
v4.28.0
1 month ago
New Analytics
Splunk Authentication Token Exposure in Debug Log
Updated Analytics
Splunk Command and Scripting Interpreter Risky Commands
ASL AWS Concurrent Sessions From Different Ips
Gsuite Outbound Email With Attachment To External Domain
Detect Excessive Account Lockouts From Endpoint
Detect Excessive User Account Lockouts
Short Lived Windows Accounts
Windows Create Local Account
Playbooks Updated
Active Directory Enable Account Dispatch
v4.27.0
1 month ago
Updated Analytics Story
Cyclops Blink
Sneaky Active Directory Persistence Tricks
New Analytics
Windows Credential Access From Browser Password Store
Windows Known Abused DLL Created (External Contributor: @nterl0k)
Updated Analytics
Okta User Logins From Multiple Cities
Path traversal SPL injection
Splunk User Enumeration Attempt
AWS Concurrent Sessions From Different Ips
AWS Credential Access RDS Password reset
Kubernetes Nginx Ingress LFI
Kubernetes Nginx Ingress RFI
Kubernetes Previously Unseen Process
O365 Multiple Users Failing To Authenticate From Ip
Detect AzureHound Command-Line Arguments
Detect AzureHound File Modifications
Detect SharpHound Command-Line Arguments
Detect SharpHound File Modifications
Detect SharpHound Usage
Disabling Windows Local Security Authority Defences via Registry
Linux Iptables Firewall Modification
Linux Kworker Process In Writable Process Path
Linux Stdout Redirection To Dev Null File
Network Traffic to Active Directory Web Services Protocol
System Information Discovery Detection
Windows SOAPHound Binary Execution
Lookups Added
browser_app_list
hijacklibs_loaded (External Contributor: @nterl0k)
Playbooks Updated
All playbook yamls updated to use a list of D3FEND IDs
v4.26.0
2 months ago
New Analytics Story
JetBrains TeamCity Vulnerabilities
Updated Analytics Story
New Analytics
Cloud Security Groups Modifications by User
Detect Remote Access Software Usage File (External Contributor: @nterl0k)
Detect Remote Access Software Usage FileInfo (External Contributor: @nterl0k)
Detect Remote Access Software Usage Process (External Contributor: @nterl0k)
Windows Multiple Account Passwords Changed
Windows Multiple Accounts Deleted
Windows Multiple Accounts Disabled
Detect Remote Access Software Usage DNS (External Contributor: @nterl0k)
Detect Remote Access Software Usage Traffic (External Contributor: @nterl0k)
High Volume of Bytes Out to Url
Detect Remote Access Software Usage URL (External Contributor: @nterl0k)
JetBrains TeamCity Authentication Bypass CVE-2024-27198
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Nginx ConnectWise ScreenConnect Authentication Bypass
Updated Analytics
AWS IAM Delete Policy (External Contributor: @ep3p)
O365 Multiple Users Failing To Authenticate From Ip
ConnectWise ScreenConnect Authentication Bypass
JetBrains TeamCity RCE Attempt
Macros Added
nginx_access_logs
suricata
Macros Updated
Lookups Added
Lookups Updated
remote_access_software
Playbooks Added
G Suite for Gmail Message Eviction
G Suite for Gmail Search and Purge
MS Graph for Office 365 Message Eviction
MS Graph for Office 365 Message Identifier Activity Analysis
MS Graph for Office 365 Message Restore
MS Graph for Office365 Search and Purge
MS Graph for Office365 Search and Restore
Playbooks Updated
Other Updates
Added a new script and a CI job to automatically upload the package to Splunkbase using a service account
Create SSA-Content-latest.tar.gz in the generate_ba CI job
v4.25.0
2 months ago
Release notes for ESCU v4.25.0
New Analytics Story
ConnectWise ScreenConnect Vulnerabilities
Snake Keylogger
WordPress Vulnerabilities
Updated Analytics Story
New Analytics
ConnectWise ScreenConnect Path Traversal
ConnectWise ScreenConnect Path Traversal Windows SACL
Windows Non Discord App Access Discord LevelDB
Windows Time Based Evasion via Choice Exec
Windows Unsecured Outlook Credentials Access In Registry
ConnectWise ScreenConnect Authentication Bypass
WordPress Bricks Builder plugin RCE
Updated Analytics
Detect Regasm Spawning a Process
Download Files Using Telegram
Executables Or Script Creation In Suspicious Path
High Process Termination Frequency
Linux Edit Cron Table Parameter
Non Chrome Process Accessing Chrome Default Dir
Non Firefox Process Access Firefox Profile Dir
Processes launching netsh
Registry Keys Used For Persistence
Suspicious Driver Loaded Path
Suspicious Process DNS Query Known Abuse Web Services
Suspicious Process Executed From Container File
Windows Credentials from Password Stores Chrome LocalState Access
Windows Credentials from Password Stores Chrome Login Data Access
Windows File Transfer Protocol In Non-Common Process Path
Windows Gather Victim Network Info Through Ip Check Web Services
Windows Phishing PDF File Executes URL Link
Windows System Network Connections Discovery Netsh
Windows User Execution Malicious URL Shortcut File
WinEvent Scheduled Task Created Within Public Path
Other Updates
Updated contentctl to output accurate providing technologies in savedsearches.conf
v4.24.0
2 months ago
Release notes for ESCU v4.24.0
New Analytics Story
Office 365 Collection Techniques
Phemedrone Stealer
Updated Analytics Story
NOBELIUM Group
New Analytics
Azure AD Admin Consent Bypassed by Service Principal
Azure AD FullAccessAsApp Permission Assigned
Azure AD Multiple Service Principals Created by SP
Azure AD Multiple Service Principals Created by User
Azure AD Privileged Graph API Permission Assigned
Azure AD Service Principal Authentication
O365 Admin Consent Bypassed by Service Principal
O365 FullAccessAsApp Permission Assigned
O365 Multiple Mailboxes Accessed via API
O365 Multiple Service Principals Created by SP
O365 Multiple Service Principals Created by User
O365 OAuth App Mailbox Access via EWS
O365 OAuth App Mailbox Access via Graph API
O365 Privileged Graph API Permission Assigned
Network Traffic to Active Directory Web Services Protocol
Windows Privilege Escalation Suspicious Process Elevation (External Contributor: @nterl0k)
Windows Privilege Escalation System Process Without System Parent (External Contributor: @nterl0k)
Windows Privilege Escalation User Process Spawn System Process (External Contributor: @nterl0k)
Windows SOAPHound Binary Execution
Ivanti Connect Secure SSRF in SAML Component
Updated Analytics
Splunk unnecessary file extensions allowed by lookup table uploads
Azure AD High Number Of Failed Authentications From Ip
Azure AD Multi-Source Failed Authentications Spike
Azure AD Privileged Role Assigned
Azure AD Privileged Role Assigned to Service Principal
Azure AD Service Principal Created
Azure AD Service Principal New Client Credentials
Azure AD Service Principal Owner Added
Azure AD Tenant Wide Admin Consent Granted
O365 Added Service Principal
O365 Application Registration Owner Added
O365 ApplicationImpersonation Role Assigned
O365 Mailbox Inbox Folder Shared with All Users
O365 Mailbox Read Access Granted to Application
O365 Multi-Source Failed Authentications Spike
O365 Multiple Users Failing To Authenticate From Ip
O365 Service Principal New Client Credentials
O365 Suspicious Admin Email Forwarding
O365 Suspicious Rights Delegation
O365 Suspicious User Email Forwarding
O365 Tenant Wide Admin Consent Granted
Correlation by Repository and Risk
Correlation by User and Risk
Any Powershell DownloadFile
Any Powershell DownloadString
Attacker Tools On Endpoint
Create local admin accounts using net exe
Create Remote Thread In Shell Application
Creation of Shadow Copy
Detect Certify Command Line Arguments
Detect Certify With PowerShell Script Block Logging
Detect Excessive Account Lockouts From Endpoint
Detect New Local Admin account
Detect Regasm with Network Connection
Detect Regsvcs with Network Connection
Detect Use of cmd exe to Launch Script Interpreters
Disable Show Hidden Files
Disable Windows SmartScreen Protection
Disabling ControlPanel
Disabling SystemRestore In Registry
Download Files Using Telegram
Elevated Group Discovery with PowerView
Executable File Written in Administrative SMB Share
Executables Or Script Creation In Suspicious Path
Execute Javascript With Jscript COM CLSID
Execution of File with Multiple Extensions
Extraction of Registry Hives
Hiding Files And Directories With Attrib exe
Linux Account Manipulation Of SSH Config and Keys
Linux Deletion Of Cron Jobs
Linux Deletion Of Init Daemon Script
Linux Deletion Of Services
Linux Deletion of SSL Certificate
Linux High Frequency Of File Deletion In Boot Folder
Linux High Frequency Of File Deletion In Etc Folder
MacOS LOLbin
MacOS plutil
Network Discovery Using Route Windows App
Non Chrome Process Accessing Chrome Default Dir
Non Firefox Process Access Firefox Profile Dir
Overwriting Accessibility Binaries
PowerShell - Connect To Internet With Hidden Window
Rundll32 Process Creating Exe Dll Files
Scheduled Task Deleted Or Created via CMD
Schtasks scheduling job on remote system
Spoolsv Spawning Rundll32
Spoolsv Writing a DLL
Spoolsv Writing a DLL - Sysmon
Suspicious Driver Loaded Path
Suspicious mshta child process
Suspicious Process DNS Query Known Abuse Web Services
Suspicious Process File Path
System Processes Run From Unexpected Locations
Trickbot Named Pipe
Windows Account Discovery for None Disable User Account
Windows AD Replication Request Initiated by User Account
Windows AD Replication Request Initiated from Unsanctioned Location
Windows Admin Permission Discovery
Windows Alternate DataStream - Base64 Content
Windows Alternate DataStream - Executable Content
Windows Credentials from Password Stores Chrome Extension Access
Windows Credentials from Password Stores Chrome LocalState Access
Windows Credentials from Password Stores Chrome Login Data Access
Windows Gather Victim Network Info Through Ip Check Web Services
Windows Process Injection Remote Thread
Windows Registry Payload Injection
Windows Replication Through Removable Media
Windows Rundll32 WebDav With Network Connection
Windows Scheduled Task Created Via XML
Windows Scheduled Task Service Spawned Shell
Windows Security Account Manager Stopped
Windows Suspect Process With Authentication Traffic
Windows UAC Bypass Suspicious Child Process
Windows UAC Bypass Suspicious Escalation Behavior
Windows WinLogon with Public Network Connection
WinEvent Scheduled Task Created Within Public Path
Detect DGA domains using pretrained model in DSDL
DNS Query Length With High Standard Deviation
Multiple Archive Files Http Post Traffic
Plain HTTP POST Exfiltrated Data
Playbooks Updated
Splunk Automated Email Investigation
Other Updates
v4.23.0
3 months ago
Release notes for ESCU v4.23.0
New Analytics Story
Jenkins Server Vulnerabilities
Updated Analytics Story
New Analytics
Splunk Information Disclosure in Splunk Add-on Builder
Kubernetes Anomalous Inbound Network Activity from Process
Kubernetes Anomalous Outbound Network Activity from Process
Kubernetes Anomalous Traffic on Network Edge
Kubernetes Create or Update Privileged Pod
Kubernetes Cron Job Creation
Kubernetes DaemonSet Deployed
Kubernetes Falco Shell Spawned
Kubernetes newly seen TCP edge
Kubernetes newly seen UDP edge
Kubernetes Node Port Creation
Kubernetes Pod Created in Default Namespace
Kubernetes Pod With Host Network Attachment
Kubernetes Scanning by Unauthenticated IP Address
Windows Impair Defense Change Win Defender Health Check Intervals
Windows Impair Defense Change Win Defender Quick Scan Interval
Windows Impair Defense Change Win Defender Throttle Rate
Windows Impair Defense Change Win Defender Tracing Level
Windows Impair Defense Configure App Install Control
Windows Impair Defense Define Win Defender Threat Action
Windows Impair Defense Disable Controlled Folder Access
Windows Impair Defense Disable Defender Firewall And Network
Windows Impair Defense Disable Defender Protocol Recognition
Windows Impair Defense Disable PUA Protection
Windows Impair Defense Disable Realtime Signature Delivery
Windows Impair Defense Disable Web Evaluation
Windows Impair Defense Disable Win Defender App Guard
Windows Impair Defense Disable Win Defender Compute File Hashes
Windows Impair Defense Disable Win Defender Gen reports
Windows Impair Defense Disable Win Defender Network Protection
Windows Impair Defense Disable Win Defender Report Infection
Windows Impair Defense Disable Win Defender Scan On Update
Windows Impair Defense Disable Win Defender Signature Retirement
Windows Impair Defense Overide Win Defender Phishing Filter
Windows Impair Defense Override SmartScreen Prompt
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Windows MsiExec HideWindow Rundll32 Execution
Windows Process Injection In Non-Service SearchIndexer
Jenkins Arbitrary File Read CVE-2024-23897
Updated Analytics
Kubernetes Access Scanning
Kubernetes Anomalous Inbound Outbound Network IO
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
Kubernetes AWS detect suspicious kubectl calls
Kubernetes Previously Unseen Container Image Name
Kubernetes Previously Unseen Process
Kubernetes Process Running From New Path
Kubernetes Process with Anomalous Resource Utilisation
Kubernetes Process with Resource Ratio Anomalies
Kubernetes Shell Running on Worker Node
Kubernetes Shell Running on Worker Node with CPU Activity
Disable Windows SmartScreen Protection
Linux Service Started Or Enabled
Unknown Process Using The Kerberos Protocol
Windows Excessive Disabled Services Event
Other Updates
Added a new input macro: sourcetype="kube:container:falco"
Playbook Updates
Splunk Attack Analyzer Dynamic Analysis
Splunk Automated Email Investigation
Splunk Identifier Activity Analysis
Splunk Message Identifier Activity Analysis
v4.22.0
3 months ago
New Analytics Story
Confluence Data Center and Confluence Server Vulnerabilities
New Analytics
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Updated Analytics
Confluence Data Center and Server Privilege Escalation
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Ivanti Connect Secure Command Injection Attempts
v4.21.0
3 months ago
Release notes for ESCU v4.21.0
New Analytics Story
Updated Analytics Story
Splunk Vulnerabilities
New Analytics
Splunk Enterprise KV Store Incorrect Authorization
Splunk Enterprise Windows Deserialization File Partition
Updated Analytics
Splunk risky Command Abuse disclosed february 2023
Other Updates
Updated the splunk_risky_command lookup with a new file, splunk_risky_command_20240122.csv